-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2021-065
Product: ZA|ARC
Manufacturer: Softwarebüro Zauner GmbH & Co. KG
Affected Version(s): 4.2.0.4
Tested Version(s): 4.2.0.4
Vulnerability Type: Improper Handling of Case Sensitivity (CWE-178)
Risk Level: Medium
Solution Status: Open
Manufacturer Notification: 2021-11-09
Solution Date: No solution yet available
Public Disclosure: 2022-04-01
CVE Reference: CVE-2021-45893
Author of Advisory: Sebastian Hamann, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

ZA|ARC is a software product for archiving the data of digital tachographs. The manufacturer describes the product as follows (see [1]; translated from German):

"With ARC you can easily and securely archive your digital tachograph data in accordance with the Fahrpersonalgesetz (German Driving Personnel Act) and the new Fahrpersonalverordnung (Driving Personnel Ordinance). ARC supports both centralised and decentralised fleets and can readily consolidate data from several branches and affiliated workshops. This makes the software suitable for fleets of any size and any organisational structure."

Due to case conversion of passwords, ZA|ARC is vulnerable to password-guessing attacks in which the attacker only needs to try uppercase letters, not lowercase ones (or vice versa).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The application converts the passwords of application users to upper case before storing them in the database. The same conversion is applied to the password a user enters on login, so application passwords are effectively case-insensitive. Note that this only affects the application passwords stored in the column PASSWORT of the table BENUTZER, not the passwords stored in the column TMPASSWORT of the same table.

As a consequence, it may not be possible to use ZA|ARC in compliance with certain common password policies in a corporate environment.
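The following Python example is added to this advisory and is not code from ZA|ARC or SySS. It models the case-folded storage and login check described above beside a case-preserving, salted-hash alternative, and counts how many case variants of one password the folded check accepts (the function and variable names are illustrative assumptions).

```python
import hashlib
import hmac
import os
import string

# Vulnerable pattern (modelled on the advisory, not ZA|ARC's actual code):
# the password is upper-cased before it is stored and again before it is
# compared, so "Secret1" and "sECRET1" verify as the same credential.
def vulnerable_store(password: str) -> str:
    return password.upper()

def vulnerable_verify(stored: str, attempt: str) -> bool:
    return stored == attempt.upper()

# Hardened pattern: keep the password bytes exactly as entered and store a
# salted, slow hash (scrypt from hashlib) instead of the password itself.
# A fixed salt may be passed only to make results reproducible in tests.
def hardened_store(password: str, salt: bytes = b"") -> tuple:
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** 14, r=8, p=1)
    return salt, digest

def hardened_verify(salt: bytes, digest: bytes, attempt: str) -> bool:
    candidate = hashlib.scrypt(attempt.encode("utf-8"), salt=salt,
                               n=2 ** 14, r=8, p=1)
    # constant-time comparison of the stored and recomputed digests
    return hmac.compare_digest(digest, candidate)

# Number of distinct inputs the vulnerable check accepts for a password:
# every ASCII letter may be entered in either case, so 2 ** (letter count).
# This is the factor by which case folding shrinks the effective key space.
def accepted_variants(password: str) -> int:
    letters = sum(1 for c in password if c in string.ascii_letters)
    return 2 ** letters

if __name__ == "__main__":
    stored = vulnerable_store("Secret1")
    print("folded check accepts swapped case:", vulnerable_verify(stored, "sECRET1"))
    salt, digest = hardened_store("Secret1")
    print("hardened check accepts swapped case:", hardened_verify(salt, digest, "sECRET1"))
    print("variants accepted by folded check:", accepted_variants("Secret1"))
```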
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Create an application user and set a password containing at least one letter. Swap uppercase and lowercase letters when logging in; the login succeeds.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The issue will not be fixed in ZA|ARC. Upgrade to zaarc.next when it becomes available.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2021-10-19: Vulnerability discovered
2021-11-09: Vulnerability reported to manufacturer
2021-11-10: Vulnerability report acknowledged by manufacturer
2021-11-16: Discussion of technical information with manufacturer
2022-02-15: Manufacturer confirms that the vulnerability will not be fixed for ZA|ARC
2022-04-01: Public disclosure of the vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for ZA|ARC
    https://www.zamik.de/system/fuhrparkmanagement
[2] SySS Security Advisory SYSS-2021-065
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2021-065.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Sebastian Hamann of SySS GmbH.

E-Mail: sebastian.hamann@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Sebastian_Hamann.asc
Key ID: 0x9CE0E440429D8B96
Key Fingerprint: F643 DF21 62C4 7C53 7DB2 8BA1 9CE0 E440 429D 8B96

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en